From f8026b6e4c869aa108f6361c8ccd50890657994d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Sat, 18 May 2019 10:49:00 +0200 Subject: Move personal websites to modules --- modules/private/websites/aten/builder.nix | 102 +++++++++++++ modules/private/websites/aten/integration.nix | 34 +++++ modules/private/websites/aten/production.nix | 36 +++++ .../websites/capitaines/mastodon_static/index.html | 29 ++++ .../websites/capitaines/mastodon_static/oops.png | Bin 0 -> 120305 bytes modules/private/websites/capitaines/production.nix | 47 ++++++ modules/private/websites/chloe/builder.nix | 103 +++++++++++++ modules/private/websites/chloe/config/chmod.php | 4 + modules/private/websites/chloe/config/connect.php | 15 ++ modules/private/websites/chloe/config/ldap.php | 9 ++ modules/private/websites/chloe/integration.nix | 35 +++++ modules/private/websites/chloe/production.nix | 37 +++++ modules/private/websites/commons/adminer.nix | 21 +++ .../private/websites/connexionswing/builder.nix | 164 +++++++++++++++++++++ .../websites/connexionswing/integration.nix | 35 +++++ .../private/websites/connexionswing/production.nix | 37 +++++ modules/private/websites/default.nix | 39 +++++ .../private/websites/denisejerome/production.nix | 31 ++++ modules/private/websites/emilia/moodle/pause.html | 48 ++++++ modules/private/websites/emilia/production.nix | 69 +++++++++ modules/private/websites/florian/app.nix | 38 +++++ modules/private/websites/florian/builder_app.nix | 152 +++++++++++++++++++ modules/private/websites/florian/integration.nix | 34 +++++ modules/private/websites/florian/production.nix | 34 +++++ modules/private/websites/immae/production.nix | 64 ++++++++ modules/private/websites/immae/release.nix | 39 +++++ modules/private/websites/immae/temp.nix | 36 +++++ modules/private/websites/leila/production.nix | 82 +++++++++++ .../private/websites/ludivinecassal/builder.nix | 155 +++++++++++++++++++ .../websites/ludivinecassal/integration.nix | 34 +++++ .../private/websites/ludivinecassal/production.nix | 35 +++++ 
modules/private/websites/nassime/production.nix | 34 +++++ .../private/websites/naturaloutil/production.nix | 86 +++++++++++ modules/private/websites/papa/surveillance.nix | 49 ++++++ modules/private/websites/piedsjaloux/builder.nix | 144 ++++++++++++++++++ .../private/websites/piedsjaloux/integration.nix | 34 +++++ .../private/websites/piedsjaloux/production.nix | 36 +++++ 37 files changed, 1981 insertions(+) create mode 100644 modules/private/websites/aten/builder.nix create mode 100644 modules/private/websites/aten/integration.nix create mode 100644 modules/private/websites/aten/production.nix create mode 100644 modules/private/websites/capitaines/mastodon_static/index.html create mode 100644 modules/private/websites/capitaines/mastodon_static/oops.png create mode 100644 modules/private/websites/capitaines/production.nix create mode 100644 modules/private/websites/chloe/builder.nix create mode 100644 modules/private/websites/chloe/config/chmod.php create mode 100644 modules/private/websites/chloe/config/connect.php create mode 100644 modules/private/websites/chloe/config/ldap.php create mode 100644 modules/private/websites/chloe/integration.nix create mode 100644 modules/private/websites/chloe/production.nix create mode 100644 modules/private/websites/commons/adminer.nix create mode 100644 modules/private/websites/connexionswing/builder.nix create mode 100644 modules/private/websites/connexionswing/integration.nix create mode 100644 modules/private/websites/connexionswing/production.nix create mode 100644 modules/private/websites/default.nix create mode 100644 modules/private/websites/denisejerome/production.nix create mode 100644 modules/private/websites/emilia/moodle/pause.html create mode 100644 modules/private/websites/emilia/production.nix create mode 100644 modules/private/websites/florian/app.nix create mode 100644 modules/private/websites/florian/builder_app.nix create mode 100644 modules/private/websites/florian/integration.nix create mode 100644 
modules/private/websites/florian/production.nix create mode 100644 modules/private/websites/immae/production.nix create mode 100644 modules/private/websites/immae/release.nix create mode 100644 modules/private/websites/immae/temp.nix create mode 100644 modules/private/websites/leila/production.nix create mode 100644 modules/private/websites/ludivinecassal/builder.nix create mode 100644 modules/private/websites/ludivinecassal/integration.nix create mode 100644 modules/private/websites/ludivinecassal/production.nix create mode 100644 modules/private/websites/nassime/production.nix create mode 100644 modules/private/websites/naturaloutil/production.nix create mode 100644 modules/private/websites/papa/surveillance.nix create mode 100644 modules/private/websites/piedsjaloux/builder.nix create mode 100644 modules/private/websites/piedsjaloux/integration.nix create mode 100644 modules/private/websites/piedsjaloux/production.nix (limited to 'modules/private/websites') diff --git a/modules/private/websites/aten/builder.nix b/modules/private/websites/aten/builder.nix new file mode 100644 index 0000000..9a2e1a7 --- /dev/null +++ b/modules/private/websites/aten/builder.nix 
@@ -0,0 +1,102 @@ +{ apacheUser, apacheGroup, aten, lib, config }: rec { + app = aten.override { inherit (config) environment; }; + phpFpm = rec { + preStart = '' + if [ ! -f "${app.varDir}/currentWebappDir" -o \ + ! -f "${app.varDir}/currentKey" -o \ + "${app}" != "$(cat ${app.varDir}/currentWebappDir 2>/dev/null)" ] \ + || ! sha512sum -c --status ${app.varDir}/currentKey; then + pushd ${app} > /dev/null + /run/wrappers/bin/sudo -u ${apacheUser} APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup + popd > /dev/null + echo -n "${app}" > ${app.varDir}/currentWebappDir + sha512sum /var/secrets/webapps/${app.environment}-aten > ${app.varDir}/currentKey + fi + ''; + serviceDeps = [ "postgresql.service" ]; + socket = "/var/run/phpfpm/aten-${app.environment}.sock"; + pool = '' + listen = ${socket} + user = ${apacheUser} + group = ${apacheGroup} + listen.owner = ${apacheUser} + listen.group = ${apacheGroup} + php_admin_value[upload_max_filesize] = 20M + php_admin_value[post_max_size] = 20M + ;php_admin_flag[log_errors] = on + php_admin_value[open_basedir] = "${app}:${app.varDir}:/tmp" + php_admin_value[session.save_path] = "${app.varDir}/phpSessions" + ${if app.environment == "dev" then '' + pm = ondemand + pm.max_children = 5 + pm.process_idle_timeout = 60 + env[SYMFONY_DEBUG_MODE] = "yes" + '' else '' + pm = dynamic + pm.max_children = 20 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 3 + ''}''; + }; + keys = [{ + dest = "webapps/${app.environment}-aten"; + user = apacheUser; + group = apacheGroup; + permissions = "0400"; + text = '' + SetEnv APP_ENV "${app.environment}" + SetEnv APP_SECRET "${config.secret}" + SetEnv DATABASE_URL "${config.psql_url}" + ''; + }]; + apache = rec { + modules = [ "proxy_fcgi" ]; + webappName = "aten_${app.environment}"; + root = "/run/current-system/webapps/${webappName}"; + vhostConf = '' + + SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" + + + Include 
/var/secrets/webapps/${app.environment}-aten + + ${if app.environment == "dev" then '' + + Use LDAPConnect + Require ldap-group cn=dev.aten.pro,cn=httpd,ou=services,dc=immae,dc=eu + ErrorDocument 401 "" + + + + Use LDAPConnect + Require ldap-group cn=dev.aten.pro,cn=httpd,ou=services,dc=immae,dc=eu + ErrorDocument 401 "" + + '' else '' + Use Stats aten.pro + + + Use LDAPConnect + Require ldap-group cn=aten.pro,cn=httpd,ou=services,dc=immae,dc=eu + ErrorDocument 401 "" + + ''} + + + Options Indexes FollowSymLinks MultiViews Includes + AllowOverride All + Require all granted + DirectoryIndex index.php + FallbackResource /index.php + + ''; + }; + activationScript = { + deps = [ "wrappers" ]; + text = '' + install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} + install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions + ''; + }; +} diff --git a/modules/private/websites/aten/integration.nix b/modules/private/websites/aten/integration.nix new file mode 100644 index 0000000..790c5a9 --- /dev/null +++ b/modules/private/websites/aten/integration.nix 
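Review bot: The document-root block near the end of `vhostConf` (its `<Directory>` tag appears lost in this listing) sets `Options Indexes FollowSymLinks MultiViews Includes` with `AllowOverride All`, which turns on directory listings and server-side includes for a Symfony public dir that only needs `FallbackResource /index.php`. The chloe builder in this same commit already uses the safer form, so this should match it: `Options -Indexes +FollowSymLinks` and `AllowOverride None` unless the package ships a `.htaccess` you rely on. Since the root is a read-only store path the `.htaccess` exposure is limited to what the package itself contains, but `Includes` still lets any SSI-handled file read the `SetEnv` values (`APP_SECRET`, `DATABASE_URL`) via `printenv` if mod_include is active — I can't see the handler config from here. `vhostConf` and the surrounding `rec` set are fully inside this hunk.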
@@ -0,0 +1,34 @@ +{ lib, pkgs, config, myconfig, ... }: +let + aten = pkgs.callPackage ./builder.nix { + inherit (pkgs.webapps) aten; + config = myconfig.env.websites.aten.integration; + apacheUser = config.services.httpd.Inte.user; + apacheGroup = config.services.httpd.Inte.group; + }; + + cfg = config.myServices.websites.aten.integration; +in { + options.myServices.websites.aten.integration.enable = lib.mkEnableOption "enable Aten's website in integration"; + + config = lib.mkIf cfg.enable { + secrets.keys = aten.keys; + services.myPhpfpm.preStart.aten_dev = aten.phpFpm.preStart; + services.myPhpfpm.serviceDependencies.aten_dev = aten.phpFpm.serviceDeps; + services.myPhpfpm.poolConfigs.aten_dev = aten.phpFpm.pool; + system.activationScripts.aten_dev = aten.activationScript; + system.extraSystemBuilderCmds = '' + mkdir -p $out/webapps + ln -s ${aten.app.webRoot} $out/webapps/${aten.apache.webappName} + ''; + services.websites.integration.modules = aten.apache.modules; + services.websites.integration.vhostConfs.aten = { + certName = "eldiron"; + addToCerts = true; + hosts = [ "dev.aten.pro" ]; + root = aten.apache.root; + extraConfig = [ aten.apache.vhostConf ]; + }; + }; +} + diff --git a/modules/private/websites/aten/production.nix b/modules/private/websites/aten/production.nix new file mode 100644 index 0000000..697f1b8 --- /dev/null +++ b/modules/private/websites/aten/production.nix 
@@ -0,0 +1,36 @@ +{ lib, pkgs, config, myconfig, ... }: +let + aten = pkgs.callPackage ./builder.nix { + inherit (pkgs.webapps) aten; + config = myconfig.env.websites.aten.production; + apacheUser = config.services.httpd.Prod.user; + apacheGroup = config.services.httpd.Prod.group; + }; + + cfg = config.myServices.websites.aten.production; +in { + options.myServices.websites.aten.production.enable = lib.mkEnableOption "enable Aten's website in production"; + + config = lib.mkIf cfg.enable { + secrets.keys = aten.keys; + services.webstats.sites = [ { name = "aten.pro"; } ]; + + services.myPhpfpm.preStart.aten_prod = aten.phpFpm.preStart; + services.myPhpfpm.serviceDependencies.aten_prod = aten.phpFpm.serviceDeps; + services.myPhpfpm.poolConfigs.aten_prod = aten.phpFpm.pool; + system.activationScripts.aten_prod = aten.activationScript; + system.extraSystemBuilderCmds = '' + mkdir -p $out/webapps + ln -s ${aten.app.webRoot} $out/webapps/${aten.apache.webappName} + ''; + services.websites.production.modules = aten.apache.modules; + services.websites.production.vhostConfs.aten = { + certName = "aten"; + certMainHost = "aten.pro"; + hosts = [ "aten.pro" "www.aten.pro" ]; + root = aten.apache.root; + extraConfig = [ aten.apache.vhostConf ]; + }; + }; +} + diff --git a/modules/private/websites/capitaines/mastodon_static/index.html b/modules/private/websites/capitaines/mastodon_static/index.html new file mode 100644 index 0000000..fae4152 --- /dev/null +++ b/modules/private/websites/capitaines/mastodon_static/index.html @@ -0,0 +1,29 @@ + + + + + This instance is now closed - Mastodon + + + +
+ Mastodon +

Sorry, this instance is closed now.

+
+ + diff --git a/modules/private/websites/capitaines/mastodon_static/oops.png b/modules/private/websites/capitaines/mastodon_static/oops.png new file mode 100644 index 0000000..0abddad Binary files /dev/null and b/modules/private/websites/capitaines/mastodon_static/oops.png differ diff --git a/modules/private/websites/capitaines/production.nix b/modules/private/websites/capitaines/production.nix new file mode 100644 index 0000000..fe9c619 --- /dev/null +++ b/modules/private/websites/capitaines/production.nix @@ -0,0 +1,47 @@ +{ lib, pkgs, config, myconfig, ... }: +let + cfg = config.myServices.websites.capitaines.production; + env = myconfig.env.websites.capitaines; + webappName = "capitaines_mastodon"; + root = "/run/current-system/webapps/${webappName}"; + siteDir = ./mastodon_static; +in { + options.myServices.websites.capitaines.production.enable = lib.mkEnableOption "enable Capitaines's website"; + + config = lib.mkIf cfg.enable { + system.extraSystemBuilderCmds = '' + mkdir -p $out/webapps + ln -s ${siteDir} $out/webapps/${webappName} + ''; + + services.websites.production.vhostConfs.capitaines_mastodon = { + certName = "capitaines"; + certMainHost = "mastodon.capitaines.fr"; + hosts = [ "mastodon.capitaines.fr" ]; + root = root; + extraConfig = [ + '' + ErrorDocument 404 /index.html + + DirectoryIndex index.html + Options Indexes FollowSymLinks MultiViews Includes + Require all granted + + '' + ]; + }; + + services.websites.production.vhostConfs.capitaines = { + certName = "capitaines"; + addToCerts = true; + hosts = [ "capitaines.fr" ]; + root = "/run/current-system/webapps/_www"; + extraConfig = [ '' + + DirectoryIndex index.htm + Require all granted + + '' ]; + }; + }; +} diff --git a/modules/private/websites/chloe/builder.nix b/modules/private/websites/chloe/builder.nix new file mode 100644 index 0000000..7b72b97 --- /dev/null +++ b/modules/private/websites/chloe/builder.nix 
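Review bot: The `capitaines` vhost at the bottom of `production.nix` points `root` at `/run/current-system/webapps/_www`, but the only link this module creates under `$out/webapps` is `${webappName}` (`capitaines_mastodon`), so `_www` must come from another module or the DocumentRoot dangles; worth a comment such as `# _www is provided by <module>` once confirmed. For the closed-instance page, `Options Indexes FollowSymLinks MultiViews Includes` is far more than a two-file static dir needs — `Options -Indexes` (or `Options None`) removes listing and SSI without changing what is served. If the instance is permanently gone, `ErrorDocument 404 /index.html` could also become an explicit 410 so federation peers stop retrying, but that is a product choice.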
@@ -0,0 +1,103 @@ +{ apacheUser, apacheGroup, chloe, config }: +rec { + app = chloe.override { inherit (config) environment; }; + phpFpm = rec { + serviceDeps = [ "mysql.service" ]; + socket = "/var/run/phpfpm/chloe-${app.environment}.sock"; + pool = '' + listen = ${socket} + user = ${apacheUser} + group = ${apacheGroup} + listen.owner = ${apacheUser} + listen.group = ${apacheGroup} + php_admin_value[upload_max_filesize] = 20M + php_admin_value[post_max_size] = 20M + ;php_admin_flag[log_errors] = on + php_admin_value[open_basedir] = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp" + php_admin_value[session.save_path] = "${app.varDir}/phpSessions" + ${if app.environment == "dev" then '' + pm = ondemand + pm.max_children = 5 + pm.process_idle_timeout = 60 + '' else '' + pm = dynamic + pm.max_children = 20 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 3 + ''}''; + }; + keys = [{ + dest = "webapps/${app.environment}-chloe"; + user = apacheUser; + group = apacheGroup; + permissions = "0400"; + text = '' + SetEnv SPIP_CONFIG_DIR "${configDir}" + SetEnv SPIP_VAR_DIR "${app.varDir}" + SetEnv SPIP_SITE "chloe-${app.environment}" + SetEnv SPIP_LDAP_BASE "dc=immae,dc=eu" + SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu" + SetEnv SPIP_LDAP_SEARCH_DN "${config.ldap.dn}" + SetEnv SPIP_LDAP_SEARCH_PW "${config.ldap.password}" + SetEnv SPIP_LDAP_SEARCH "${config.ldap.search}" + SetEnv SPIP_MYSQL_HOST "${config.mysql.host}" + SetEnv SPIP_MYSQL_PORT "${config.mysql.port}" + SetEnv SPIP_MYSQL_DB "${config.mysql.name}" + SetEnv SPIP_MYSQL_USER "${config.mysql.user}" + SetEnv SPIP_MYSQL_PASSWORD "${config.mysql.password}" + ''; + }]; + apache = rec { + modules = [ "proxy_fcgi" ]; + webappName = "chloe_${app.environment}"; + root = "/run/current-system/webapps/${webappName}"; + vhostConf = '' + Include /var/secrets/webapps/${app.environment}-chloe + + RewriteEngine On + ${if app.environment == "prod" then '' + RewriteRule ^/news.rss 
/spip.php?page=backend&id_rubrique=1 + '' else ""} + + + SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" + + + + DirectoryIndex index.php index.htm index.html + Options -Indexes +FollowSymLinks +MultiViews +Includes + Include ${root}/htaccess.txt + + AllowOverride AuthConfig FileInfo Limit + Require all granted + + + + Require all denied + + + + Require all denied + + + ${if app.environment == "dev" then '' + + Use LDAPConnect + Require ldap-group cn=chloe.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu + ErrorDocument 401 "" + + '' else '' + Use Stats osteopathe-cc.fr + ''} + ''; + }; + activationScript = { + deps = [ "wrappers" ]; + text = '' + install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} ${app.varDir}/IMG ${app.varDir}/tmp ${app.varDir}/local + install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions + ''; + }; + configDir = ./config; +} diff --git a/modules/private/websites/chloe/config/chmod.php b/modules/private/websites/chloe/config/chmod.php new file mode 100644 index 0000000..aae16cd --- /dev/null +++ b/modules/private/websites/chloe/config/chmod.php @@ -0,0 +1,4 @@ + \ No newline at end of file diff --git a/modules/private/websites/chloe/config/connect.php b/modules/private/websites/chloe/config/connect.php new file mode 100644 index 0000000..18b0933 --- /dev/null +++ b/modules/private/websites/chloe/config/connect.php @@ -0,0 +1,15 @@ + diff --git a/modules/private/websites/chloe/config/ldap.php b/modules/private/websites/chloe/config/ldap.php new file mode 100644 index 0000000..825b7ed --- /dev/null +++ b/modules/private/websites/chloe/config/ldap.php @@ -0,0 +1,9 @@ + array('sAMAccountName','uid','login','userid','cn','sn'),'nom' => 'cn','email' => 'mail','bio' => 'description',); +$GLOBALS['ldap_search'] = getenv("SPIP_LDAP_SEARCH"); +?> diff --git a/modules/private/websites/chloe/integration.nix b/modules/private/websites/chloe/integration.nix new file mode 100644 index 0000000..458e414 
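Review bot: The document-root directory block in `chloe/builder.nix` enables `+Includes` while the same vhost injects `SPIP_MYSQL_PASSWORD` and `SPIP_LDAP_SEARCH_PW` through `SetEnv` from the included secrets file; if mod_include is loaded and any SSI handler is configured (the `Include ${root}/htaccess.txt` plus `AllowOverride FileInfo` make that plausible but I can't confirm it here), an `<!--#printenv -->` in a served file would dump those values. SPIP does not need SSI, so change the line to `Options -Indexes +FollowSymLinks +MultiViews`. Keeping the secrets in a 0400 file owned by `apacheUser` is fine because Apache reads it at start, but note that `open_basedir` already excludes it from PHP, so the `SetEnv` path is the only exposure to watch. The whole `rec` set, including `configDir = ./config`, is inside this hunk.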
--- /dev/null +++ b/modules/private/websites/chloe/integration.nix @@ -0,0 +1,35 @@ +{ lib, pkgs, config, myconfig, ... }: +let + chloe = pkgs.callPackage ./builder.nix { + inherit (pkgs.webapps) chloe; + config = myconfig.env.websites.chloe.integration; + apacheUser = config.services.httpd.Inte.user; + apacheGroup = config.services.httpd.Inte.group; + }; + + cfg = config.myServices.websites.chloe.integration; +in { + options.myServices.websites.chloe.integration.enable = lib.mkEnableOption "enable Chloe's website in integration"; + + config = lib.mkIf cfg.enable { + secrets.keys = chloe.keys; + services.myPhpfpm.serviceDependencies.chloe_dev = chloe.phpFpm.serviceDeps; + services.myPhpfpm.poolConfigs.chloe_dev = chloe.phpFpm.pool; + services.myPhpfpm.poolPhpConfigs.chloe_dev = '' + extension=${pkgs.php}/lib/php/extensions/mysqli.so + ''; + system.activationScripts.chloe_dev = chloe.activationScript; + system.extraSystemBuilderCmds = '' + mkdir -p $out/webapps + ln -s ${chloe.app.webRoot} $out/webapps/${chloe.apache.webappName} + ''; + services.websites.integration.modules = chloe.apache.modules; + services.websites.integration.vhostConfs.chloe = { + certName = "eldiron"; + addToCerts = true; + hosts = ["chloe.immae.eu" ]; + root = chloe.apache.root; + extraConfig = [ chloe.apache.vhostConf ]; + }; + }; +} diff --git a/modules/private/websites/chloe/production.nix b/modules/private/websites/chloe/production.nix new file mode 100644 index 0000000..0eafebd --- /dev/null +++ b/modules/private/websites/chloe/production.nix 
@@ -0,0 +1,37 @@ +{ lib, pkgs, config, myconfig, ... }: +let + chloe = pkgs.callPackage ./builder.nix { + inherit (pkgs.webapps) chloe; + config = myconfig.env.websites.chloe.production; + apacheUser = config.services.httpd.Prod.user; + apacheGroup = config.services.httpd.Prod.group; + }; + + cfg = config.myServices.websites.chloe.production; +in { + options.myServices.websites.chloe.production.enable = lib.mkEnableOption "enable Chloe's website in production"; + + config = lib.mkIf cfg.enable { + secrets.keys = chloe.keys; + services.webstats.sites = [ { name = "osteopathe-cc.fr"; } ]; + + services.myPhpfpm.serviceDependencies.chloe_prod = chloe.phpFpm.serviceDeps; + services.myPhpfpm.poolConfigs.chloe_prod = chloe.phpFpm.pool; + services.myPhpfpm.poolPhpConfigs.chloe_prod = '' + extension=${pkgs.php}/lib/php/extensions/mysqli.so + ''; + system.activationScripts.chloe_prod = chloe.activationScript; + system.extraSystemBuilderCmds = '' + mkdir -p $out/webapps + ln -s ${chloe.app.webRoot} $out/webapps/${chloe.apache.webappName} + ''; + services.websites.production.modules = chloe.apache.modules; + services.websites.production.vhostConfs.chloe = { + certName = "chloe"; + certMainHost = "osteopathe-cc.fr"; + hosts = ["osteopathe-cc.fr" "www.osteopathe-cc.fr" ]; + root = chloe.apache.root; + extraConfig = [ chloe.apache.vhostConf ]; + }; + }; +} diff --git a/modules/private/websites/commons/adminer.nix b/modules/private/websites/commons/adminer.nix new file mode 100644 index 0000000..98ab461 --- /dev/null +++ b/modules/private/websites/commons/adminer.nix @@ -0,0 +1,21 @@ +{}: +rec { + phpFpm = { + socket = "/var/run/phpfpm/adminer.sock"; + }; + apache = rec { + modules = [ "proxy_fcgi" ]; + webappName = "_adminer"; + root = "/run/current-system/webapps/${webappName}"; + vhostConf = '' + Alias /adminer ${root} + + DirectoryIndex index.php + Require all granted + + SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" + + + ''; + }; +} 
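Review bot: `commons/adminer.nix` publishes Adminer under `Alias /adminer` with `Require all granted` and nothing in front of it, so whichever vhost includes this snippet exposes a generic database login form to the internet; Adminer's own login is not rate-limited and is a standard brute-force and credential-stuffing target. The dev vhosts elsewhere in this commit already gate with LDAP, so the same two lines belong in this directory block: `Use LDAPConnect` and `Require ldap-group cn=<group>,cn=httpd,ou=services,dc=immae,dc=eu` (or at least a `Require ip` list). If the consuming vhost adds its own `Location` gate that is not visible here, a comment saying so on the `Require all granted` line would stop the next reader from raising this again.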
diff --git a/modules/private/websites/connexionswing/builder.nix b/modules/private/websites/connexionswing/builder.nix
new file mode 100644
index 0000000..1224420
--- /dev/null
+++ b/modules/private/websites/connexionswing/builder.nix
@@ -0,0 +1,164 @@ +{ apacheUser, apacheGroup, connexionswing, pkgs, phpPackages, config }: +rec { + app = connexionswing.override { inherit (config) environment; }; + keys = [{ + dest = "webapps/${app.environment}-connexionswing"; + user = apacheUser; + group = apacheGroup; + permissions = "0400"; + text = '' + # This file is auto-generated during the composer install + parameters: + database_host: ${config.mysql.host} + database_port: ${config.mysql.port} + database_name: ${config.mysql.name} + database_user: ${config.mysql.user} + database_password: ${config.mysql.password} + database_server_version: ${pkgs.mariadb.mysqlVersion} + mailer_transport: sendmail + mailer_host: null + mailer_user: null + mailer_password: null + subscription_email: ${config.email} + allow_robots: true + secret: ${config.secret} + ${if app.environment == "prod" then '' + services: + swiftmailer.mailer.default.transport: + class: Swift_SendmailTransport + arguments: ['/run/wrappers/bin/sendmail -bs'] + '' else ""} + ''; + }]; + phpFpm = rec { + preStart = '' + if [ ! -f "${app.varDir}/currentWebappDir" -o \ + ! -f "${app.varDir}/currentKey" -o \ + "${app}" != "$(cat ${app.varDir}/currentWebappDir 2>/dev/null)" ] \ + || ! 
sha512sum -c --status ${app.varDir}/currentKey; then + pushd ${app} > /dev/null + /run/wrappers/bin/sudo -u ${apacheUser} ./bin/console --env=${app.environment} cache:clear --no-warmup + popd > /dev/null + echo -n "${app}" > ${app.varDir}/currentWebappDir + sha512sum /var/secrets/webapps/${app.environment}-connexionswing > ${app.varDir}/currentKey + fi + ''; + serviceDeps = [ "mysql.service" ]; + socket = "/var/run/phpfpm/connexionswing-${app.environment}.sock"; + phpConfig = '' + extension=${phpPackages.imagick}/lib/php/extensions/imagick.so + ''; + pool = '' + listen = ${socket} + user = ${apacheUser} + group = ${apacheGroup} + listen.owner = ${apacheUser} + listen.group = ${apacheGroup} + php_admin_value[upload_max_filesize] = 20M + php_admin_value[post_max_size] = 20M + ;php_admin_flag[log_errors] = on + php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/var/secrets/webapps/${app.environment}-connexionswing:${app}:${app.varDir}:/tmp" + php_admin_value[session.save_path] = "${app.varDir}/phpSessions" + ${if app.environment == "dev" then '' + pm = ondemand + pm.max_children = 5 + pm.process_idle_timeout = 60 + env[SYMFONY_DEBUG_MODE] = "yes" + '' else '' + pm = dynamic + pm.max_children = 20 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 3 + ''}''; + }; + apache = rec { + modules = [ "proxy_fcgi" ]; + webappName = "connexionswing_${app.environment}"; + root = "/run/current-system/webapps/${webappName}"; + vhostConf = '' + + SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" + + + + Options FollowSymLinks + AllowOverride None + Require all granted + + + + Options FollowSymLinks + AllowOverride None + Require all granted + + + ${if app.environment == "dev" then '' + + Use LDAPConnect + Require ldap-group cn=connexionswing.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu + ErrorDocument 401 "" + + + + Options Indexes FollowSymLinks MultiViews Includes + AllowOverride None + Require all granted + + DirectoryIndex app_dev.php + 
+ + Options -MultiViews + + + + RewriteEngine On + + RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$ + RewriteRule ^(.*) - [E=BASE:%1] + + # Maintenance script + RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f + RewriteCond %{SCRIPT_FILENAME} !maintenance.php + RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L] + ErrorDocument 503 /maintenance.php + + # Sets the HTTP_AUTHORIZATION header removed by Apache + RewriteCond %{HTTP:Authorization} . + RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] + + RewriteCond %{ENV:REDIRECT_STATUS} ^$ + RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L] + + # If the requested filename exists, simply serve it. + # We only want to let Apache serve files and not directories. + RewriteCond %{REQUEST_FILENAME} -f + RewriteRule ^ - [L] + + # Rewrite all other queries to the front controller. + RewriteRule ^ %{ENV:BASE}/app_dev.php [L] + + + + '' else '' + Use Stats connexionswing.com + + + Options Indexes FollowSymLinks MultiViews Includes + AllowOverride All + Require all granted + + ''} + ''; + }; + activationScript = { + deps = [ "wrappers" ]; + text = '' + install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} \ + ${app.varDir}/medias \ + ${app.varDir}/uploads \ + ${app.varDir}/var + install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions + ''; + }; +} diff --git a/modules/private/websites/connexionswing/integration.nix b/modules/private/websites/connexionswing/integration.nix new file mode 100644 index 0000000..c3425bd --- /dev/null +++ b/modules/private/websites/connexionswing/integration.nix 
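Review bot: The production branch of `vhostConf` in `connexionswing/builder.nix` serves the web root with `Options Indexes FollowSymLinks MultiViews Includes` and `AllowOverride All`, whereas the dev branch right above it uses `AllowOverride None` with explicit rewrite rules; production is the environment that should have the tighter form. `Indexes` will list any directory without an index file — `medias` and `uploads` created by `activationScript` are candidates if they are reachable under `webRoot`, which I can't tell from here — and `Includes` adds SSI for a Symfony app that does not use it. Change the production line to `Options -Indexes +FollowSymLinks` and, if the shipped `.htaccess` is what production relies on, a comment naming that file next to `AllowOverride All` would document why it differs from dev. The `rec` set is complete within this hunk.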
@@ -0,0 +1,35 @@ +{ lib, pkgs, config, myconfig, ... }: +let + connexionswing = pkgs.callPackage ./builder.nix { + inherit (pkgs.webapps) connexionswing; + config = myconfig.env.websites.connexionswing.integration; + apacheUser = config.services.httpd.Inte.user; + apacheGroup = config.services.httpd.Inte.group; + }; + + cfg = config.myServices.websites.connexionswing.integration; +in { + options.myServices.websites.connexionswing.integration.enable = lib.mkEnableOption "enable Connexionswing's website in integration"; + + config = lib.mkIf cfg.enable { + secrets.keys = connexionswing.keys; + services.myPhpfpm.preStart.connexionswing_dev = connexionswing.phpFpm.preStart; + services.myPhpfpm.serviceDependencies.connexionswing_dev = connexionswing.phpFpm.serviceDeps; + services.myPhpfpm.poolConfigs.connexionswing_dev = connexionswing.phpFpm.pool; + services.myPhpfpm.poolPhpConfigs.connexionswing_dev = connexionswing.phpFpm.phpConfig; + system.activationScripts.connexionswing_dev = connexionswing.activationScript; + system.extraSystemBuilderCmds = '' + mkdir -p $out/webapps + ln -s ${connexionswing.app.webRoot} $out/webapps/${connexionswing.apache.webappName} + ''; + services.websites.integration.modules = connexionswing.apache.modules; + services.websites.integration.vhostConfs.connexionswing = { + certName = "eldiron"; + addToCerts = true; + hosts = ["connexionswing.immae.eu" "sandetludo.immae.eu" ]; + root = connexionswing.apache.root; + extraConfig = [ connexionswing.apache.vhostConf ]; + }; + }; +} + diff --git a/modules/private/websites/connexionswing/production.nix b/modules/private/websites/connexionswing/production.nix new file mode 100644 index 0000000..8f28f46 --- /dev/null +++ b/modules/private/websites/connexionswing/production.nix 
@@ -0,0 +1,37 @@ +{ lib, pkgs, config, myconfig, ... }: +let + connexionswing = pkgs.callPackage ./builder.nix { + inherit (pkgs.webapps) connexionswing; + config = myconfig.env.websites.connexionswing.production; + apacheUser = config.services.httpd.Prod.user; + apacheGroup = config.services.httpd.Prod.group; + }; + + cfg = config.myServices.websites.connexionswing.production; +in { + options.myServices.websites.connexionswing.production.enable = lib.mkEnableOption "enable Connexionswing's website in production"; + + config = lib.mkIf cfg.enable { + secrets.keys = connexionswing.keys; + services.webstats.sites = [ { name = "connexionswing.com"; } ]; + + services.myPhpfpm.preStart.connexionswing_prod = connexionswing.phpFpm.preStart; + services.myPhpfpm.serviceDependencies.connexionswing_prod = connexionswing.phpFpm.serviceDeps; + services.myPhpfpm.poolConfigs.connexionswing_prod = connexionswing.phpFpm.pool; + services.myPhpfpm.poolPhpConfigs.connexionswing_prod = connexionswing.phpFpm.phpConfig; + system.activationScripts.connexionswing_prod = connexionswing.activationScript; + system.extraSystemBuilderCmds = '' + mkdir -p $out/webapps + ln -s ${connexionswing.app.webRoot} $out/webapps/${connexionswing.apache.webappName} + ''; + services.websites.production.modules = connexionswing.apache.modules; + services.websites.production.vhostConfs.connexionswing = { + certName = "connexionswing"; + certMainHost = "connexionswing.com"; + hosts = ["connexionswing.com" "sandetludo.com" "www.connexionswing.com" "www.sandetludo.com" ]; + root = connexionswing.apache.root; + extraConfig = [ connexionswing.apache.vhostConf ]; + }; + }; +} + diff --git a/modules/private/websites/default.nix b/modules/private/websites/default.nix new file mode 100644 index 0000000..80d902e --- /dev/null +++ b/modules/private/websites/default.nix 
@@ -0,0 +1,39 @@ +{ ... }: +{ + config.myServices.websites.aten.integration.enable = true; + config.myServices.websites.aten.production.enable = true; + + config.myServices.websites.capitaines.production.enable = true; + + config.myServices.websites.chloe.integration.enable = true; + config.myServices.websites.chloe.production.enable = true; + + config.myServices.websites.connexionswing.integration.enable = true; + config.myServices.websites.connexionswing.production.enable = true; + + config.myServices.websites.denisejerome.production.enable = true; + + config.myServices.websites.emilia.production.enable = true; + + config.myServices.websites.florian.app.enable = true; + config.myServices.websites.florian.integration.enable = true; + config.myServices.websites.florian.production.enable = true; + + config.myServices.websites.immae.production.enable = true; + config.myServices.websites.immae.release.enable = true; + config.myServices.websites.immae.temp.enable = true; + + config.myServices.websites.leila.production.enable = true; + + config.myServices.websites.ludivinecassal.integration.enable = true; + config.myServices.websites.ludivinecassal.production.enable = true; + + config.myServices.websites.nassime.production.enable = true; + + config.myServices.websites.naturaloutil.production.enable = true; + + config.myServices.websites.papa.surveillance.enable = true; + + config.myServices.websites.piedsjaloux.integration.enable = true; + config.myServices.websites.piedsjaloux.production.enable = true; +} diff --git a/modules/private/websites/denisejerome/production.nix b/modules/private/websites/denisejerome/production.nix new file mode 100644 index 0000000..b5aff94 --- /dev/null +++ b/modules/private/websites/denisejerome/production.nix 
@@ -0,0 +1,31 @@ +{ lib, pkgs, config, myconfig, ... }: +let + cfg = config.myServices.websites.denisejerome.production; + varDir = "/var/lib/ftp/denisejerome"; + env = myconfig.env.websites.denisejerome; +in { + options.myServices.websites.denisejerome.production.enable = lib.mkEnableOption "enable Denise Jerome's website"; + + config = lib.mkIf cfg.enable { + services.webstats.sites = [ { name = "denisejerome.piedsjaloux.fr"; } ]; + + services.websites.production.vhostConfs.denisejerome = { + certName = "denisejerome"; + certMainHost = "denisejerome.piedsjaloux.fr"; + hosts = ["denisejerome.piedsjaloux.fr" ]; + root = varDir; + extraConfig = [ + '' + Use Stats denisejerome.piedsjaloux.fr + + + DirectoryIndex index.htm index.html + Options Indexes FollowSymLinks MultiViews Includes + AllowOverride AuthConfig + Require all granted + + '' + ]; + }; + }; +} diff --git a/modules/private/websites/emilia/moodle/pause.html b/modules/private/websites/emilia/moodle/pause.html new file mode 100644 index 0000000..8b99c59 --- /dev/null +++ b/modules/private/websites/emilia/moodle/pause.html @@ -0,0 +1,48 @@ + + + + Pause + + + + +
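Review bot: `Options Indexes FollowSymLinks MultiViews Includes` is applied to `varDir = "/var/lib/ftp/denisejerome"`, a tree whose contents are managed over FTP rather than from the Nix store, and `Includes` there enables server-side includes (including `#exec`) for whatever is uploaded, while `FollowSymLinks` serves a symlink's target wherever it points. Unless the site actually uses SSI exec, `Options Indexes SymLinksIfOwnerMatch MultiViews IncludesNOEXEC` keeps the features that static content needs without those two; the enclosing Directory container is not visible in this rendering, so I cannot tell whether a narrower block already tightens it. The identical `Options` line is used on other `/var/lib/ftp/...` roots in the florian integration/production, immae production, nassime, naturaloutil and leila modules of this commit, so the same consideration applies there.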
+

Site web en pause !

+
+

Le site et les cours de photographie sont actuellement en pause.

+
+
+ + diff --git a/modules/private/websites/emilia/production.nix b/modules/private/websites/emilia/production.nix new file mode 100644 index 0000000..2e705a1 --- /dev/null +++ b/modules/private/websites/emilia/production.nix 
@@ -0,0 +1,69 @@ +{ lib, pkgs, config, myconfig, ... }: +let + cfg = config.myServices.websites.emilia.production; + env = myconfig.env.websites.emilia; + varDir = "/var/lib/moodle"; + siteDir = ./moodle; + webappName = "emilia_moodle"; + root = "/run/current-system/webapps/${webappName}"; + # php_admin_value[upload_max_filesize] = 50000000 + # php_admin_value[post_max_size] = 50000000 + configFile = '' + dbtype = 'pgsql'; + $CFG->dblibrary = 'native'; + $CFG->dbhost = '${env.postgresql.host}'; + $CFG->dbname = '${env.postgresql.database}'; + $CFG->dbuser = '${env.postgresql.user}'; + $CFG->dbpass = '${env.postgresql.password}'; + $CFG->prefix = 'mdl_'; + $CFG->dboptions = array ( + 'dbpersist' => 0, + 'dbport' => '${env.postgreesql.port}', + 'dbsocket' => '${env.postgresql.password}', + ); + + $CFG->wwwroot = 'https://www.saison-photo.org'; + $CFG->dataroot = '${varDir}'; + $CFG->admin = 'admin'; + + $CFG->directorypermissions = 02777; + + require_once(__DIR__ . '/lib/setup.php'); + + // There is no php closing tag in this file, + // it is intentional because it prevents trailing whitespace problems! + ''; +in { + options.myServices.websites.emilia.production.enable = lib.mkEnableOption "enable Emilia's website"; + + config = lib.mkIf cfg.enable { + system.activationScripts.emilia = '' + install -m 0755 -o wwwrun -g wwwrun -d ${varDir} + ''; + system.extraSystemBuilderCmds = '' + mkdir -p $out/webapps + ln -s ${siteDir} $out/webapps/${webappName} + ''; + services.websites.production.vhostConfs.emilia = { + certName = "emilia"; + certMainHost = "saison-photo.org"; + hosts = [ "saison-photo.org" "www.saison-photo.org" ]; + root = root; + extraConfig = [ + '' + + DirectoryIndex pause.html + Options Indexes FollowSymLinks MultiViews Includes + Require all granted + + '' + ]; + }; + }; +} diff --git a/modules/private/websites/florian/app.nix b/modules/private/websites/florian/app.nix new file mode 100644 index 0000000..08506e1 --- /dev/null 
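Review bot: The `configFile` string has two copy-paste errors in the `$CFG->dboptions` array: `'dbport' => '${env.postgreesql.port}'` misspells `postgresql` (it should read `'dbport' => '${env.postgresql.port}',`), and `'dbsocket' => '${env.postgresql.password}'` writes the database password into the socket-path option, which should be the socket path or left empty. Nothing in this module references `configFile` (the vhost serves `siteDir = ./moodle`, i.e. the pause page), so Nix's laziness hides both errors today; they will surface the moment the binding is wired into the site. The same block also sets `$CFG->directorypermissions = 02777;`, which is world-writable for every directory Moodle creates under `${varDir}`; a comment explaining why that is needed, or a tighter mode, would help when this is re-enabled.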
+++ b/modules/private/websites/florian/app.nix @@ -0,0 +1,38 @@ +{ lib, pkgs, config, myconfig, ... }: +let + adminer = pkgs.callPackage ../commons/adminer.nix {}; + + tellesflorian = pkgs.callPackage ./builder_app.nix { + inherit (pkgs.webapps) tellesflorian; + config = myconfig.env.websites.tellesflorian.integration; + apacheUser = config.services.httpd.Inte.user; + apacheGroup = config.services.httpd.Inte.group; + }; + + cfg = config.myServices.websites.florian.app; +in { + options.myServices.websites.florian.app.enable = lib.mkEnableOption "enable Florian's app in integration"; + + config = lib.mkIf cfg.enable { + secrets.keys = tellesflorian.keys; + services.myPhpfpm.preStart.tellesflorian_dev = tellesflorian.phpFpm.preStart; + services.myPhpfpm.serviceDependencies.tellesflorian_dev = tellesflorian.phpFpm.serviceDeps; + services.myPhpfpm.poolConfigs.tellesflorian_dev = tellesflorian.phpFpm.pool; + system.activationScripts.tellesflorian_dev = tellesflorian.activationScript; + system.extraSystemBuilderCmds = '' + mkdir -p $out/webapps + ln -s ${tellesflorian.app.webRoot} $out/webapps/${tellesflorian.apache.webappName} + ''; + services.websites.integration.modules = adminer.apache.modules ++ tellesflorian.apache.modules; + services.websites.integration.vhostConfs.tellesflorian = { + certName = "eldiron"; + addToCerts = true; + hosts = ["app.tellesflorian.com" ]; + root = tellesflorian.apache.root; + extraConfig = [ + tellesflorian.apache.vhostConf + adminer.apache.vhostConf + ]; + }; + }; +} diff --git a/modules/private/websites/florian/builder_app.nix b/modules/private/websites/florian/builder_app.nix new file mode 100644 index 0000000..e521f6e --- /dev/null +++ b/modules/private/websites/florian/builder_app.nix 
@@ -0,0 +1,152 @@ +{ apacheUser, apacheGroup, tellesflorian, config }: +rec { + app = tellesflorian.override { inherit (config) environment; }; + keys = [ + { + dest = "webapps/${app.environment}-tellesflorian-passwords"; + user = apacheUser; + group = apacheGroup; + permissions = "0400"; + text = '' + invite:${config.invite_passwords} + ''; + } + { + dest = "webapps/${app.environment}-tellesflorian"; + user = apacheUser; + group = apacheGroup; + permissions = "0400"; + text = '' + # This file is auto-generated during the composer install + parameters: + database_host: ${config.mysql.host} + database_port: ${config.mysql.port} + database_name: ${config.mysql.name} + database_user: ${config.mysql.user} + database_password: ${config.mysql.password} + mailer_transport: smtp + mailer_host: 127.0.0.1 + mailer_user: null + mailer_password: null + secret: ${config.secret} + ''; + } + ]; + phpFpm = rec { + preStart = '' + if [ ! -f "${app.varDir}/currentWebappDir" -o \ + ! -f "${app.varDir}/currentKey" -o \ + "${app}" != "$(cat ${app.varDir}/currentWebappDir 2>/dev/null)" ] \ + || ! 
sha512sum -c --status ${app.varDir}/currentKey; then + pushd ${app} > /dev/null + /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=${app.environment} cache:clear --no-warmup + popd > /dev/null + echo -n "${app}" > ${app.varDir}/currentWebappDir + sha512sum /var/secrets/webapps/${app.environment}-tellesflorian > ${app.varDir}/currentKey + fi + ''; + serviceDeps = [ "mysql.service" ]; + socket = "/var/run/phpfpm/floriantelles-${app.environment}.sock"; + pool = '' + listen = ${socket} + user = ${apacheUser} + group = ${apacheGroup} + listen.owner = ${apacheUser} + listen.group = ${apacheGroup} + php_admin_value[upload_max_filesize] = 20M + php_admin_value[post_max_size] = 20M + ;php_admin_flag[log_errors] = on + php_admin_value[open_basedir] = "/var/secrets/webapps/${app.environment}-tellesflorian:${app}:${app.varDir}:/tmp" + php_admin_value[session.save_path] = "${app.varDir}/phpSessions" + ${if app.environment == "dev" then '' + pm = ondemand + pm.max_children = 5 + pm.process_idle_timeout = 60 + env[SYMFONY_DEBUG_MODE] = "yes" + '' else '' + pm = dynamic + pm.max_children = 20 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 3 + ''}''; + }; + apache = rec { + modules = [ "proxy_fcgi" ]; + webappName = "florian_${app.environment}"; + root = "/run/current-system/webapps/${webappName}"; + vhostConf = '' + + SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" + + + ${if app.environment == "dev" then '' + + AuthBasicProvider file ldap + Use LDAPConnect + Require ldap-group cn=app.tellesflorian.com,cn=httpd,ou=services,dc=immae,dc=eu + + AuthUserFile "/var/secrets/webapps/${app.environment}-tellesflorian-passwords" + Require user "invite" + + ErrorDocument 401 "" + + + + Options Indexes FollowSymLinks MultiViews Includes + AllowOverride None + Require all granted + + DirectoryIndex app_dev.php + + + Options -MultiViews + + + + RewriteEngine On + + RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$ + RewriteRule ^(.*) - [E=BASE:%1] + + # 
Maintenance script + RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f + RewriteCond %{SCRIPT_FILENAME} !maintenance.php + RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L] + ErrorDocument 503 /maintenance.php + + # Sets the HTTP_AUTHORIZATION header removed by Apache + RewriteCond %{HTTP:Authorization} . + RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] + + RewriteCond %{ENV:REDIRECT_STATUS} ^$ + RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L] + + # If the requested filename exists, simply serve it. + # We only want to let Apache serve files and not directories. + RewriteCond %{REQUEST_FILENAME} -f + RewriteRule ^ - [L] + + # Rewrite all other queries to the front controller. + RewriteRule ^ %{ENV:BASE}/app_dev.php [L] + + + + '' else '' + + Options Indexes FollowSymLinks MultiViews Includes + AllowOverride All + Require all granted + + ''} + ''; + }; + activationScript = { + deps = [ "wrappers" ]; + text = '' + install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} \ + ${app.varDir}/var + install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions + ''; + }; +} diff --git a/modules/private/websites/florian/integration.nix b/modules/private/websites/florian/integration.nix new file mode 100644 index 0000000..424ebd4 --- /dev/null +++ b/modules/private/websites/florian/integration.nix 
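Review bot: `phpFpm.preStart` runs `/run/wrappers/bin/sudo -u wwwrun ./bin/console ...` with the user hard-coded, while every other place in this builder (the pool's `user`/`listen.owner`, the `activationScript` `install` calls) and the same `preStart` line in the ludivinecassal and piedsjaloux builders use `${apacheUser}`; if the httpd user is ever changed, the cache would be cleared under the wrong account. It should read `/run/wrappers/bin/sudo -u ${apacheUser} ./bin/console --env=${app.environment} cache:clear --no-warmup`. Separately, `database_password: ${config.mysql.password}` and `secret: ${config.secret}` are interpolated unquoted into YAML, so a value containing `#`, `: ` or a leading special character silently changes the parsed document; `${builtins.toJSON config.mysql.password}` produces a scalar YAML accepts verbatim, and the same applies to the ludivinecassal and piedsjaloux builders. This hunk runs from L41 to L43.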
@@ -0,0 +1,34 @@ +{ lib, pkgs, config, myconfig, ... }: +let + adminer = pkgs.callPackage ../commons/adminer.nix {}; + cfg = config.myServices.websites.florian.integration; + varDir = "/var/lib/ftp/florian"; + env = myconfig.env.websites.florian; +in { + options.myServices.websites.florian.integration.enable = lib.mkEnableOption "enable Florian's website integration"; + + config = lib.mkIf cfg.enable { + security.acme.certs."ftp".extraDomains."florian.immae.eu" = null; + + services.websites.integration.modules = adminer.apache.modules; + services.websites.integration.vhostConfs.florian = { + certName = "eldiron"; + addToCerts = true; + hosts = [ "florian.immae.eu" ]; + root = "${varDir}/florian.immae.eu"; + extraConfig = [ + adminer.apache.vhostConf + '' + ServerAdmin ${env.server_admin} + + + DirectoryIndex index.php index.htm index.html + Options Indexes FollowSymLinks MultiViews Includes + AllowOverride None + Require all granted + + '' + ]; + }; + }; +} diff --git a/modules/private/websites/florian/production.nix b/modules/private/websites/florian/production.nix new file mode 100644 index 0000000..9b310b8 --- /dev/null +++ b/modules/private/websites/florian/production.nix 
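Review bot: `security.acme.certs."ftp".extraDomains."florian.immae.eu" = null;` adds the hostname to the `ftp` certificate, yet the vhost declared a few lines later is served under `certName = "eldiron"` with `addToCerts = true`, so the reader is left to guess why the name is on two certificates. If this is deliberate (for instance the FTP service presenting a certificate valid for the same name), a comment such as `# also needed on the FTP cert: the site's FTP login uses this hostname` next to the `extraDomains` line would document it. The same pattern recurs in florian/production.nix (`tellesflorian.com`), nassime/production.nix, naturaloutil/production.nix and papa/surveillance.nix in this commit.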
@@ -0,0 +1,34 @@ +{ lib, pkgs, config, myconfig, ... }: +let + adminer = pkgs.callPackage ../commons/adminer.nix {}; + cfg = config.myServices.websites.florian.production; + varDir = "/var/lib/ftp/florian"; + env = myconfig.env.websites.florian; +in { + options.myServices.websites.florian.production.enable = lib.mkEnableOption "enable Florian's website production"; + + config = lib.mkIf cfg.enable { + security.acme.certs."ftp".extraDomains."tellesflorian.com" = null; + + services.websites.production.modules = adminer.apache.modules; + services.websites.production.vhostConfs.florian = { + certName = "florian"; + certMainHost = "tellesflorian.com"; + hosts = [ "tellesflorian.com" "www.tellesflorian.com" ]; + root = "${varDir}/tellesflorian.com"; + extraConfig = [ + adminer.apache.vhostConf + '' + ServerAdmin ${env.server_admin} + + + DirectoryIndex index.php index.htm index.html + Options Indexes FollowSymLinks MultiViews Includes + AllowOverride None + Require all granted + + '' + ]; + }; + }; +} diff --git a/modules/private/websites/immae/production.nix b/modules/private/websites/immae/production.nix new file mode 100644 index 0000000..58cf048 --- /dev/null +++ b/modules/private/websites/immae/production.nix 
@@ -0,0 +1,64 @@ +{ lib, pkgs, config, myconfig, ... }: +let + cfg = config.myServices.websites.immae.production; + varDir = "/var/lib/ftp/immae"; + env = myconfig.env.websites.immae; +in { + options.myServices.websites.immae.production.enable = lib.mkEnableOption "enable Immae's website"; + + config = lib.mkIf cfg.enable { + services.webstats.sites = [ { name = "www.immae.eu"; } ]; + + services.myPhpfpm.poolConfigs.immae = '' + listen = /run/phpfpm/immae.sock + user = wwwrun + group = wwwrun + listen.owner = wwwrun + listen.group = wwwrun + + pm = ondemand + pm.max_children = 5 + pm.process_idle_timeout = 60 + + php_admin_value[open_basedir] = "${varDir}:/tmp" + ''; + services.websites.production.modules = [ "proxy_fcgi" ]; + services.websites.production.vhostConfs.immae = { + certName = "eldiron"; + addToCerts = true; + hosts = [ "www.immae.eu" ]; + root = varDir; + extraConfig = [ + '' + Use Stats www.immae.eu + + + SetHandler "proxy:unix:/run/phpfpm/immae.sock|fcgi://localhost" + + + + DirectoryIndex index.php index.htm index.html + Options Indexes FollowSymLinks MultiViews Includes + AllowOverride All + Require all granted + + + + Use LDAPConnect + Require ldap-group cn=blog,cn=immae.eu,ou=services,dc=immae,dc=eu + + '' + ]; + }; + + services.websites.production.vhostConfs.bouya = { + certName = "eldiron"; + addToCerts = true; + hosts = [ "bouya.org" "www.bouya.org" ]; + root = null; + extraConfig = [ '' + RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://www.normalesup.org/~bouya/ + '' ]; + }; + }; +} diff --git a/modules/private/websites/immae/release.nix b/modules/private/websites/immae/release.nix new file mode 100644 index 0000000..68381a6 --- /dev/null +++ b/modules/private/websites/immae/release.nix 
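Review bot: The `immae` vhost combines `root = varDir` (`/var/lib/ftp/immae`, an FTP-managed tree) with `AllowOverride All`, so an `.htaccess` uploaded through FTP can change `Options`, handlers and rewrite behaviour for the PHP-enabled document root; the other FTP-rooted sites in this commit use `AllowOverride None` or `AuthConfig`. If the site only needs authentication overrides, `AllowOverride AuthConfig` (as in denisejerome/production.nix) is enough; if more is needed, listing the exact override classes and a comment saying why would keep the exposure explicit. The Directory and Location containers around these directives are not visible in this rendering, so I cannot confirm which path the LDAP `Require ldap-group cn=blog,...` block covers.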
@@ -0,0 +1,39 @@ +{ lib, pkgs, config, myconfig, ... }: +let + cfg = config.myServices.websites.immae.release; + varDir = "/var/lib/ftp/release.immae.eu"; + env = myconfig.env.websites.release; +in { + options.myServices.websites.immae.release.enable = lib.mkEnableOption "enable Release' website"; + + config = lib.mkIf cfg.enable { + services.webstats.sites = [ { name = "release.immae.eu"; } ]; + + services.websites.production.vhostConfs.release = { + certName = "eldiron"; + addToCerts = true; + hosts = [ "release.immae.eu" ]; + root = varDir; + extraConfig = [ + '' + Use Stats release.immae.eu + + Use Apaxy "${varDir}" "title .duplicity-ignore" + + Use LDAPConnect + Options Indexes + AllowOverride All + Require all granted + + + + Use LDAPConnect + Options Indexes FollowSymlinks + AllowOverride None + Require all granted + + '' + ]; + }; + }; +} diff --git a/modules/private/websites/immae/temp.nix b/modules/private/websites/immae/temp.nix new file mode 100644 index 0000000..0b2a3a3 --- /dev/null +++ b/modules/private/websites/immae/temp.nix @@ -0,0 +1,36 @@ +{ lib, pkgs, config, myconfig, ... }: +let + cfg = config.myServices.websites.immae.temp; + varDir = "/var/lib/ftp/temp.immae.eu"; + env = myconfig.env.websites.temp; +in { + options.myServices.websites.immae.temp.enable = lib.mkEnableOption "enable Temp' website"; + + config = lib.mkIf cfg.enable { + services.websites.production.modules = [ "headers" ]; + services.websites.production.vhostConfs.temp = { + certName = "eldiron"; + addToCerts = true; + hosts = [ "temp.immae.eu" ]; + root = varDir; + extraConfig = [ + '' + Use Apaxy "${varDir}" "title .duplicity-ignore" + + Header set Content-Disposition attachment + + + Options -Indexes + AllowOverride None + Require all granted + + + + Options Indexes + + '' + ]; + }; + }; +} + diff --git a/modules/private/websites/leila/production.nix b/modules/private/websites/leila/production.nix new file mode 100644 index 0000000..1ce8eea --- /dev/null 
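Review bot: Both directory blocks in release.nix pair `Use LDAPConnect` with `Require all granted`; unless the `LDAPConnect` macro itself wraps a `Require` in a `RequireAll` (the macro is defined outside this commit, so I cannot see it), `Require all granted` satisfies authorization on its own and the LDAP credentials are never actually demanded. If anonymous read access to `release.immae.eu` is intended, the `Use LDAPConnect` lines are redundant and a comment `# public listing; LDAPConnect kept only for ...` would prevent the next reader from "fixing" it; if login is intended, the line should become `Require valid-user` or a `Require ldap-group ...` as in papa/surveillance.nix and leila/production.nix.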
+++ b/modules/private/websites/leila/production.nix 
@@ -0,0 +1,82 @@ +{ lib, pkgs, config, ... }: +let + cfg = config.myServices.websites.leila.production; + varDir = "/var/lib/ftp/leila"; +in { + options.myServices.websites.leila.production.enable = lib.mkEnableOption "enable Leila's website in production"; + + config = lib.mkIf cfg.enable { + services.myPhpfpm.poolConfigs.leila = '' + listen = /run/phpfpm/leila.sock + user = wwwrun + group = wwwrun + listen.owner = wwwrun + listen.group = wwwrun + + pm = ondemand + pm.max_children = 5 + pm.process_idle_timeout = 60 + + php_admin_value[open_basedir] = "${varDir}:/tmp" + ''; + + services.webstats.sites = [ + { name = "leila.bouya.org"; } + { name = "chorale.leila.bouya.org"; } + ]; + + services.websites.production.modules = [ "proxy_fcgi" ]; + services.websites.production.vhostConfs.leila_chorale = { + certName = "leila"; + addToCerts = true; + hosts = [ "chorale.leila.bouya.org" "chorale-vocanta.fr.nf" "www.chorale-vocanta.fr.nf" ]; + root = "${varDir}/Chorale"; + extraConfig = [ + '' + Use Stats chorale.leila.bouya.org + + DirectoryIndex index.php index.htm index.html + Options Indexes FollowSymLinks MultiViews Includes + AllowOverride None + + Use LDAPConnect + Require ldap-group cn=chorale.leila.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu + + + SetHandler "proxy:unix:/run/phpfpm/leila.sock|fcgi://localhost" + + + '' + ]; + }; + services.websites.production.vhostConfs.leila = { + certName = "leila"; + certMainHost = "leila.bouya.org"; + hosts = [ "leila.bouya.org" ]; + root = varDir; + extraConfig = [ + '' + Use Stats leila.bouya.org + + DirectoryIndex index.htm index.html + Options Indexes FollowSymLinks MultiViews Includes + AllowOverride None + + Use LDAPConnect + Require ldap-group cn=chorale.leila.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu + + + SetHandler "proxy:unix:/run/phpfpm/leila.sock|fcgi://localhost" + + + + DirectoryIndex index.htm index.html + Options Indexes FollowSymLinks MultiViews Includes + AllowOverride None + Require all granted + + '' 
+ ]; + }; + }; +} diff --git a/modules/private/websites/ludivinecassal/builder.nix b/modules/private/websites/ludivinecassal/builder.nix new file mode 100644 index 0000000..3167bce --- /dev/null +++ b/modules/private/websites/ludivinecassal/builder.nix 
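Review bot: In the `leila` vhost (`hosts = [ "leila.bouya.org" ]`) the protected directory block carries `Require ldap-group cn=chorale.leila.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu`, the very same group DN used by the `leila_chorale` vhost just above it, which looks like a copy-paste from that block. If a distinct group is meant for leila.bouya.org it should be changed here; if the two sites deliberately share one group, a comment such as `# same LDAP group as the chorale site on purpose` next to the `Require` line would document that choice. The Directory containers are not visible in this rendering, so which path each block protects cannot be verified from the hunk. The hunk spans L49 to L50.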
@@ -0,0 +1,155 @@ +{ apacheUser, apacheGroup, config, ludivinecassal, pkgs, ruby, sass, imagemagick }: +rec { + app = ludivinecassal.override { inherit (config) environment; }; + varDir = "/var/lib/ludivinecassal_${app.environment}"; + keys = [{ + dest = "webapps/${app.environment}-ludivinecassal"; + user = apacheUser; + group = apacheGroup; + permissions = "0400"; + text = '' + # This file is auto-generated during the composer install + parameters: + database_host: ${config.mysql.host} + database_port: ${config.mysql.port} + database_name: ${config.mysql.name} + database_user: ${config.mysql.user} + database_password: ${config.mysql.password} + database_server_version: ${pkgs.mariadb.mysqlVersion} + mailer_transport: smtp + mailer_host: 127.0.0.1 + mailer_user: null + mailer_password: null + secret: ${config.secret} + ldap_host: ldap.immae.eu + ldap_port: 636 + ldap_version: 3 + ldap_ssl: true + ldap_tls: false + ldap_user_bind: 'uid={username},ou=users,dc=immae,dc=eu' + ldap_base_dn: 'dc=immae,dc=eu' + ldap_search_dn: '${config.ldap.dn}' + ldap_search_password: '${config.ldap.password}' + ldap_search_filter: '${config.ldap.search}' + leapt_im: + binary_path: ${imagemagick}/bin + assetic: + sass: ${sass}/bin/sass + ruby: ${ruby}/bin/ruby + ''; + }]; + phpFpm = rec { + preStart = '' + if [ ! -f "${app.varDir}/currentWebappDir" -o \ + ! -f "${app.varDir}/currentKey" -o \ + "${app}" != "$(cat ${app.varDir}/currentWebappDir 2>/dev/null)" ] \ + || ! 
sha512sum -c --status ${app.varDir}/currentKey; then + pushd ${app} > /dev/null + /run/wrappers/bin/sudo -u ${apacheUser} ./bin/console --env=${app.environment} cache:clear --no-warmup + popd > /dev/null + echo -n "${app}" > ${app.varDir}/currentWebappDir + sha512sum /var/secrets/webapps/${app.environment}-ludivinecassal > ${app.varDir}/currentKey + fi + ''; + serviceDeps = [ "mysql.service" ]; + socket = "/var/run/phpfpm/ludivinecassal-${app.environment}.sock"; + pool = '' + listen = ${socket} + user = ${apacheUser} + group = ${apacheGroup} + listen.owner = ${apacheUser} + listen.group = ${apacheGroup} + php_admin_value[upload_max_filesize] = 20M + php_admin_value[post_max_size] = 20M + ;php_admin_flag[log_errors] = on + php_admin_value[open_basedir] = "/var/secrets/webapps/${app.environment}-ludivinecassal:${app}:${app.varDir}:/tmp" + php_admin_value[session.save_path] = "${app.varDir}/phpSessions" + ${if app.environment == "dev" then '' + pm = ondemand + pm.max_children = 5 + pm.process_idle_timeout = 60 + env[SYMFONY_DEBUG_MODE] = "yes" + '' else '' + pm = dynamic + pm.max_children = 20 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 3 + ''}''; + }; + apache = rec { + modules = [ "proxy_fcgi" ]; + webappName = "ludivine_${app.environment}"; + root = "/run/current-system/webapps/${webappName}"; + vhostConf = '' + + SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" + + + ${if app.environment == "dev" then '' + + Use LDAPConnect + Require ldap-group cn=ludivine.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu + ErrorDocument 401 "" + + + + Options Indexes FollowSymLinks MultiViews Includes + AllowOverride None + Require all granted + + DirectoryIndex app_dev.php + + + Options -MultiViews + + + + RewriteEngine On + + RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$ + RewriteRule ^(.*) - [E=BASE:%1] + + # Maintenance script + RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f + RewriteCond %{SCRIPT_FILENAME} !maintenance.php + RewriteRule 
^.*$ %{ENV:BASE}/maintenance.php [R=503,L] + ErrorDocument 503 /maintenance.php + + # Sets the HTTP_AUTHORIZATION header removed by Apache + RewriteCond %{HTTP:Authorization} . + RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] + + RewriteCond %{ENV:REDIRECT_STATUS} ^$ + RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L] + + # If the requested filename exists, simply serve it. + # We only want to let Apache serve files and not directories. + RewriteCond %{REQUEST_FILENAME} -f + RewriteRule ^ - [L] + + # Rewrite all other queries to the front controller. + RewriteRule ^ %{ENV:BASE}/app_dev.php [L] + + + + '' else '' + Use Stats ludivinecassal.com + + + Options Indexes FollowSymLinks MultiViews Includes + AllowOverride All + Require all granted + + ''} + ''; + }; + activationScript = { + deps = [ "wrappers" ]; + text = '' + install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} + install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/tmp + install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions + ''; + }; +} diff --git a/modules/private/websites/ludivinecassal/integration.nix b/modules/private/websites/ludivinecassal/integration.nix new file mode 100644 index 0000000..0be067b --- /dev/null +++ b/modules/private/websites/ludivinecassal/integration.nix 
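Review bot: The `activationScript` creates `${app.varDir}/tmp` with `install -m 0755`, world-readable and listable, while `${app.varDir}/phpSessions` next to it is deliberately `0750`; anything the application writes to that `tmp` directory (generated files, uploads in transit) is readable by every local account. Unless a process outside `${apacheGroup}` needs to read it, `install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/tmp` matches the session directory. The same script also leaves `${app.varDir}` itself at `0755`, which is fine for traversal but worth a short comment stating that the secrets live in `/var/secrets` and not under it. This hunk runs from L51 to L53.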
@@ -0,0 +1,34 @@ +{ lib, pkgs, config, myconfig, ... }: +let + ludivinecassal = pkgs.callPackage ./builder.nix { + inherit (pkgs.webapps) ludivinecassal; + config = myconfig.env.websites.ludivinecassal.integration; + apacheUser = config.services.httpd.Inte.user; + apacheGroup = config.services.httpd.Inte.group; + }; + + cfg = config.myServices.websites.ludivinecassal.integration; +in { + options.myServices.websites.ludivinecassal.integration.enable = lib.mkEnableOption "enable Ludivine's website in integration"; + + config = lib.mkIf cfg.enable { + secrets.keys = ludivinecassal.keys; + + services.myPhpfpm.preStart.ludivinecassal_dev = ludivinecassal.phpFpm.preStart; + services.myPhpfpm.serviceDependencies.ludivinecassal_dev = ludivinecassal.phpFpm.serviceDeps; + services.myPhpfpm.poolConfigs.ludivinecassal_dev = ludivinecassal.phpFpm.pool; + system.activationScripts.ludivinecassal_dev = ludivinecassal.activationScript; + system.extraSystemBuilderCmds = '' + mkdir -p $out/webapps + ln -s ${ludivinecassal.app.webRoot} $out/webapps/${ludivinecassal.apache.webappName} + ''; + services.websites.integration.modules = ludivinecassal.apache.modules; + services.websites.integration.vhostConfs.ludivine = { + certName = "eldiron"; + addToCerts = true; + hosts = [ "ludivine.immae.eu" ]; + root = ludivinecassal.apache.root; + extraConfig = [ ludivinecassal.apache.vhostConf ]; + }; + }; +} diff --git a/modules/private/websites/ludivinecassal/production.nix b/modules/private/websites/ludivinecassal/production.nix new file mode 100644 index 0000000..c5de698 --- /dev/null +++ b/modules/private/websites/ludivinecassal/production.nix 
@@ -0,0 +1,35 @@ +{ lib, pkgs, config, myconfig, ... }: +let + ludivinecassal = pkgs.callPackage ./builder.nix { + inherit (pkgs.webapps) ludivinecassal; + config = myconfig.env.websites.ludivinecassal.production; + apacheUser = config.services.httpd.Prod.user; + apacheGroup = config.services.httpd.Prod.group; + }; + + cfg = config.myServices.websites.ludivinecassal.production; +in { + options.myServices.websites.ludivinecassal.production.enable = lib.mkEnableOption "enable Ludivine's website in production"; + + config = lib.mkIf cfg.enable { + secrets.keys = ludivinecassal.keys; + services.webstats.sites = [ { name = "ludivinecassal.com"; } ]; + + services.myPhpfpm.preStart.ludivinecassal_prod = ludivinecassal.phpFpm.preStart; + services.myPhpfpm.serviceDependencies.ludivinecassal_prod = ludivinecassal.phpFpm.serviceDeps; + services.myPhpfpm.poolConfigs.ludivinecassal_prod = ludivinecassal.phpFpm.pool; + system.activationScripts.ludivinecassal_prod = ludivinecassal.activationScript; + system.extraSystemBuilderCmds = '' + mkdir -p $out/webapps + ln -s ${ludivinecassal.app.webRoot} $out/webapps/${ludivinecassal.apache.webappName} + ''; + services.websites.production.modules = ludivinecassal.apache.modules; + services.websites.production.vhostConfs.ludivine = { + certName = "ludivinecassal"; + certMainHost = "ludivinecassal.com"; + hosts = ["ludivinecassal.com" "www.ludivinecassal.com" ]; + root = ludivinecassal.apache.root; + extraConfig = [ ludivinecassal.apache.vhostConf ]; + }; + }; +} diff --git a/modules/private/websites/nassime/production.nix b/modules/private/websites/nassime/production.nix new file mode 100644 index 0000000..a109778 --- /dev/null +++ b/modules/private/websites/nassime/production.nix 
@@ -0,0 +1,34 @@ +{ lib, pkgs, config, myconfig, ... }: +let + cfg = config.myServices.websites.nassime.production; + varDir = "/var/lib/ftp/nassime"; + env = myconfig.env.websites.nassime; +in { + options.myServices.websites.nassime.production.enable = lib.mkEnableOption "enable Nassime's website"; + + config = lib.mkIf cfg.enable { + services.webstats.sites = [ { name = "nassime.bouya.org"; } ]; + + security.acme.certs."ftp".extraDomains."nassime.bouya.org" = null; + + services.websites.production.vhostConfs.nassime = { + certName = "nassime"; + certMainHost = "nassime.bouya.org"; + hosts = ["nassime.bouya.org" ]; + root = varDir; + extraConfig = [ + '' + Use Stats nassime.bouya.org + ServerAdmin ${env.server_admin} + + + DirectoryIndex index.php index.htm index.html + Options Indexes FollowSymLinks MultiViews Includes + AllowOverride None + Require all granted + + '' + ]; + }; + }; +} diff --git a/modules/private/websites/naturaloutil/production.nix b/modules/private/websites/naturaloutil/production.nix new file mode 100644 index 0000000..b6cf069 --- /dev/null +++ b/modules/private/websites/naturaloutil/production.nix 
@@ -0,0 +1,86 @@ +{ lib, pkgs, config, myconfig, ... }: +let + adminer = pkgs.callPackage ../commons/adminer.nix {}; + cfg = config.myServices.websites.naturaloutil.production; + varDir = "/var/lib/ftp/jerome"; + env = myconfig.env.websites.jerome; +in { + options.myServices.websites.naturaloutil.production.enable = lib.mkEnableOption "enable Naturaloutil's website"; + + config = lib.mkIf cfg.enable { + services.webstats.sites = [ { name = "naturaloutil.immae.eu"; } ]; + + security.acme.certs."ftp".extraDomains."naturaloutil.immae.eu" = null; + + secrets.keys = [{ + dest = "webapps/prod-naturaloutil"; + user = "wwwrun"; + group = "wwwrun"; + permissions = "0400"; + text = '' + ssl_set(NULL, NULL, "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt", NULL, NULL); + '' else ""} + $database = connect_db($db, $mysql_server, $mysql_base, $mysql_user, $mysql_password); + ?> + ''; + }]; + services.myPhpfpm.serviceDependencies.jerome = [ "mysql.service" ]; + services.myPhpfpm.poolConfigs.jerome = '' + listen = /run/phpfpm/naturaloutil.sock + user = wwwrun + group = wwwrun + listen.owner = wwwrun + listen.group = wwwrun + + pm = ondemand + pm.max_children = 5 + pm.process_idle_timeout = 60 + + env[BDD_CONNECT] = "/var/secrets/webapps/prod-naturaloutil" + php_admin_value[open_basedir] = "/var/secrets/webapps/prod-naturaloutil:${varDir}:/tmp" + ''; + services.myPhpfpm.poolPhpConfigs.jerome = '' + extension=${pkgs.php}/lib/php/extensions/mysqli.so + ''; + services.websites.production.modules = adminer.apache.modules ++ [ "proxy_fcgi" ]; + services.websites.production.vhostConfs.naturaloutil = { + certName = "naturaloutil"; + certMainHost = "naturaloutil.immae.eu"; + hosts = ["naturaloutil.immae.eu" ]; + root = varDir; + extraConfig = [ + adminer.apache.vhostConf + '' + Use Stats naturaloutil.immae.eu + ServerAdmin ${env.server_admin} + ErrorLog "${varDir}/logs/error_log" + CustomLog "${varDir}/logs/access_log" combined + + + SetHandler 
"proxy:unix:/run/phpfpm/naturaloutil.sock|fcgi://localhost" + + + + AllowOverride None + Require all denied + + + DirectoryIndex index.php index.htm index.html + Options Indexes FollowSymLinks MultiViews Includes + AllowOverride None + Require all granted + + '' + ]; + }; + }; +} diff --git a/modules/private/websites/papa/surveillance.nix b/modules/private/websites/papa/surveillance.nix new file mode 100644 index 0000000..8e7cd9d --- /dev/null +++ b/modules/private/websites/papa/surveillance.nix @@ -0,0 +1,49 @@ +{ lib, pkgs, config, myconfig, ... }: +let + cfg = config.myServices.websites.papa.surveillance; + varDir = "/var/lib/ftp/papa"; +in { + options.myServices.websites.papa.surveillance.enable = lib.mkEnableOption "enable Papa surveillance's website"; + + config = lib.mkIf cfg.enable { + security.acme.certs."ftp".extraDomains."surveillance.maison.bbc.bouya.org" = null; + + services.cron = { + systemCronJobs = let + script = pkgs.writeScript "cleanup-papa" '' + #!${pkgs.stdenv.shell} + d=$(date -d "7 days ago" +%Y%m%d) + for i in /var/lib/ftp/papa/*/20[0-9][0-9][0-9][0-9][0-9][0-9]; do + if [ "$d" -gt $(basename $i) ]; then + rm -rf "$i" + fi + done + ''; + in + [ + '' + 0 6 * * * wwwrun ${script} + '' + ]; + }; + + services.websites.production.vhostConfs.papa = { + certName = "papa"; + certMainHost = "surveillance.maison.bbc.bouya.org"; + hosts = [ "surveillance.maison.bbc.bouya.org" ]; + root = varDir; + extraConfig = [ + '' + Use Apaxy "${varDir}" "title .duplicity-ignore" + + Use LDAPConnect + Options Indexes + AllowOverride None + Require ldap-group cn=surveillance.maison.bbc.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu + + '' + ]; + }; + }; +} + diff --git a/modules/private/websites/piedsjaloux/builder.nix b/modules/private/websites/piedsjaloux/builder.nix new file mode 100644 index 0000000..9fcc8fb --- /dev/null +++ b/modules/private/websites/piedsjaloux/builder.nix 
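Review bot: `secrets.keys` for `webapps/prod-naturaloutil` hard-codes `user = "wwwrun"; group = "wwwrun";` with `permissions = "0400"`, and the pool does the same, whereas the connexionswing and ludivinecassal production modules derive the user from `config.services.httpd.Prod.user`; if the httpd user is renamed, this 0400 secret becomes unreadable by the php-fpm pool that depends on it. Using `user = config.services.httpd.Prod.user; group = config.services.httpd.Prod.group;` keeps it aligned with the rest of the commit. The PHP body of the secret (the `ssl_set(...)` / `'' else ""}` fragment) and the target of the `Require all denied` block are partly lost in this rendering, so I cannot confirm that the denied directory is `${varDir}/logs`, which the `ErrorLog`/`CustomLog` paths suggest it should be. This hunk runs from L57 to L58.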
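Review bot: The `cleanup-papa` cron script hard-codes `/var/lib/ftp/papa/*/20[0-9]...` even though the module already defines `varDir` with that path, and `[ "$d" -gt $(basename $i) ]` both leaves the substitution unquoted and, when the glob matches nothing, passes the literal pattern to `-gt`, so the job emits an "integer expression expected" error every night on an empty tree. Using `for i in ${varDir}/*/20[0-9][0-9][0-9][0-9][0-9][0-9]; do` and `if [ -e "$i" ] && [ "$d" -gt "$(basename "$i")" ]; then` ties the path to the module and makes the test robust. The script runs as `wwwrun` from `systemCronJobs`, which is the right user for deleting under the FTP tree, and that is worth a one-line comment next to the crontab entry.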
@@ -0,0 +1,144 @@
+{ apacheUser, apacheGroup, piedsjaloux, config, pkgs, lib, texlive, imagemagick }:
+rec {
+ app = piedsjaloux.override { inherit (config) environment; };
+ varDir = "/var/lib/piedsjaloux_${app.environment}";
+ keys = [{
+ dest = "webapps/${app.environment}-piedsjaloux";
+ user = apacheUser;
+ group = apacheGroup;
+ permissions = "0400";
+ text = ''
+ # This file is auto-generated during the composer install
+ parameters:
+ database_host: ${config.mysql.host}
+ database_port: ${config.mysql.port}
+ database_name: ${config.mysql.name}
+ database_user: ${config.mysql.user}
+ database_password: ${config.mysql.password}
+ database_server_version: ${pkgs.mariadb.mysqlVersion}
+ mailer_transport: smtp
+ mailer_host: 127.0.0.1
+ mailer_user: null
+ mailer_password: null
+ secret: ${config.secret}
+ pdflatex: "${texlive.combine { inherit (texlive) attachfile preprint scheme-small; }}/bin/pdflatex"
+ leapt_im:
+ binary_path: ${imagemagick}/bin
+ '';
+ }];
+ phpFpm = rec {
+ preStart = ''
+ if [ ! -f "${app.varDir}/currentWebappDir" -o \
+ ! -f "${app.varDir}/currentKey" -o \
+ "${app}" != "$(cat ${app.varDir}/currentWebappDir 2>/dev/null)" ] \
+ || ! sha512sum -c --status ${app.varDir}/currentKey; then
+ pushd ${app} > /dev/null
+ /run/wrappers/bin/sudo -u ${apacheUser} ./bin/console --env=${app.environment} cache:clear --no-warmup
+ popd > /dev/null
+ echo -n "${app}" > ${app.varDir}/currentWebappDir
+ sha512sum /var/secrets/webapps/${app.environment}-piedsjaloux > ${app.varDir}/currentKey
+ fi
+ '';
+ serviceDeps = [ "mysql.service" ];
+ socket = "/var/run/phpfpm/piedsjaloux-${app.environment}.sock";
+ pool = ''
+ listen = ${socket}
+ user = ${apacheUser}
+ group = ${apacheGroup}
+ listen.owner = ${apacheUser}
+ listen.group = ${apacheGroup}
+ php_admin_value[upload_max_filesize] = 20M
+ php_admin_value[post_max_size] = 20M
+ ;php_admin_flag[log_errors] = on
+ php_admin_value[open_basedir] = "/var/secrets/webapps/${app.environment}-piedsjaloux:${app}:${app.varDir}:/tmp"
+ php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
+ env[PATH] = ${lib.makeBinPath [ pkgs.apg pkgs.unzip ]}
+ ${if app.environment == "dev" then ''
+ pm = ondemand
+ pm.max_children = 5
+ pm.process_idle_timeout = 60
+ env[SYMFONY_DEBUG_MODE] = "yes"
+ '' else ''
+ pm = dynamic
+ pm.max_children = 20
+ pm.start_servers = 2
+ pm.min_spare_servers = 1
+ pm.max_spare_servers = 3
+ ''}'';
+ };
+ apache = rec {
+ modules = [ "proxy_fcgi" ];
+ webappName = "piedsjaloux_${app.environment}";
+ root = "/run/current-system/webapps/${webappName}";
+ vhostConf = ''
+
+ SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+
+
+ ${if app.environment == "dev" then ''
+
+ Use LDAPConnect
+ Require ldap-group cn=piedsjaloux.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
+ ErrorDocument 401 ""
+
+
+
+ Options Indexes FollowSymLinks MultiViews Includes
+ AllowOverride None
+ Require all granted
+
+ DirectoryIndex app_dev.php
+
+
+ Options -MultiViews
+
+
+
+ RewriteEngine On
+
+ RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
+ RewriteRule ^(.*) - [E=BASE:%1]
+
+ # Maintenance script
+ RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
+ RewriteCond %{SCRIPT_FILENAME} !maintenance.php
+ RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
+ ErrorDocument 503 /maintenance.php
+
+ # Sets the HTTP_AUTHORIZATION header removed by Apache
+ RewriteCond %{HTTP:Authorization} .
+ RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
+ RewriteCond %{ENV:REDIRECT_STATUS} ^$
+ RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
+
+ # If the requested filename exists, simply serve it.
+ # We only want to let Apache serve files and not directories.
+ RewriteCond %{REQUEST_FILENAME} -f
+ RewriteRule ^ - [L]
+
+ # Rewrite all other queries to the front controller.
+ RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
+
+
+
+ '' else ''
+ Use Stats piedsjaloux.fr
+
+
+ Options Indexes FollowSymLinks MultiViews Includes
+ AllowOverride All
+ Require all granted
+
+ ''}
+ '';
+ };
+ activationScript = {
+ deps = [ "wrappers" ];
+ text = ''
+ install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} \
+ ${app.varDir}/tmp
+ install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
+ '';
+ };
+}
diff --git a/modules/private/websites/piedsjaloux/integration.nix b/modules/private/websites/piedsjaloux/integration.nix
new file mode 100644
index 0000000..6249e85
--- /dev/null
+++ b/modules/private/websites/piedsjaloux/integration.nix
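Review bot: `preStart` writes `sha512sum /var/secrets/webapps/${app.environment}-piedsjaloux > ${app.varDir}/currentKey`, a digest of a file whose variable content is the database connection parameters, `database_password` and `secret`, into a directory that `activationScript` creates with mode 0755; the script runs with enough privilege to `sudo -u ${apacheUser}`, so with a default umask the digest is presumably world-readable and gives any local account a verifiable fingerprint of the credentials. Start the script with `umask 077` so `currentKey` and `currentWebappDir` stay private to `${apacheUser}`, or keep the comparison digest next to the secret under `/var/secrets` instead. Separately, the production branch of `vhostConf` sets `AllowOverride All` while the dev branch sets `AllowOverride None`; as `root` resolves to a symlink into the store this is probably harmless, but a one-line comment stating why production needs `.htaccess` processing would spare the next reader the question.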
@@ -0,0 +1,34 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+ piedsjaloux = pkgs.callPackage ./builder.nix {
+ inherit (pkgs.webapps) piedsjaloux;
+ config = myconfig.env.websites.piedsjaloux.integration;
+ apacheUser = config.services.httpd.Inte.user;
+ apacheGroup = config.services.httpd.Inte.group;
+ };
+
+ cfg = config.myServices.websites.piedsjaloux.integration;
+in {
+ options.myServices.websites.piedsjaloux.integration.enable = lib.mkEnableOption "enable PiedsJaloux's website in integration";
+
+ config = lib.mkIf cfg.enable {
+ secrets.keys = piedsjaloux.keys;
+ services.myPhpfpm.preStart.piedsjaloux_dev = piedsjaloux.phpFpm.preStart;
+ services.myPhpfpm.serviceDependencies.piedsjaloux_dev = piedsjaloux.phpFpm.serviceDeps;
+ services.myPhpfpm.poolConfigs.piedsjaloux_dev = piedsjaloux.phpFpm.pool;
+ system.activationScripts.piedsjaloux_dev = piedsjaloux.activationScript;
+ system.extraSystemBuilderCmds = ''
+ mkdir -p $out/webapps
+ ln -s ${piedsjaloux.app.webRoot} $out/webapps/${piedsjaloux.apache.webappName}
+ '';
+ services.websites.integration.modules = piedsjaloux.apache.modules;
+ services.websites.integration.vhostConfs.piedsjaloux = {
+ certName = "eldiron";
+ addToCerts = true;
+ hosts = [ "piedsjaloux.immae.eu" ];
+ root = piedsjaloux.apache.root;
+ extraConfig = [ piedsjaloux.apache.vhostConf ];
+ };
+ };
+}
+
diff --git a/modules/private/websites/piedsjaloux/production.nix b/modules/private/websites/piedsjaloux/production.nix
new file mode 100644
index 0000000..afa1667
--- /dev/null
+++ b/modules/private/websites/piedsjaloux/production.nix
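Review bot: The phpfpm pool, dependency and activation-script keys are spelled `piedsjaloux_dev` by hand, while every other identifier for this deployment (`socket`, `varDir`, `webappName`, and the symlink on the `ln -s` line just below) is derived from `app.environment` in builder.nix, so the environment name is written in two unrelated places. Reusing the value the builder already exports, e.g. `services.myPhpfpm.poolConfigs.${piedsjaloux.apache.webappName} = piedsjaloux.phpFpm.pool;` for each of the four keys, would make this file and production.nix (which hand-writes `piedsjaloux_prod` the same way) differ only in their `integration`/`production` and `Inte`/`Prod` selectors. If the fixed names are intentional, a comment such as `# pool name is independent of app.environment; keep in sync with builder.nix by hand` on the first key would record that choice.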
@@ -0,0 +1,36 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+ piedsjaloux = pkgs.callPackage ./builder.nix {
+ inherit (pkgs.webapps) piedsjaloux;
+ config = myconfig.env.websites.piedsjaloux.production;
+ apacheUser = config.services.httpd.Prod.user;
+ apacheGroup = config.services.httpd.Prod.group;
+ };
+
+ cfg = config.myServices.websites.piedsjaloux.production;
+in {
+ options.myServices.websites.piedsjaloux.production.enable = lib.mkEnableOption "enable PiedsJaloux's website in production";
+
+ config = lib.mkIf cfg.enable {
+ secrets.keys = piedsjaloux.keys;
+ services.webstats.sites = [ { name = "piedsjaloux.fr"; } ];
+
+ services.myPhpfpm.preStart.piedsjaloux_prod = piedsjaloux.phpFpm.preStart;
+ services.myPhpfpm.serviceDependencies.piedsjaloux_prod = piedsjaloux.phpFpm.serviceDeps;
+ services.myPhpfpm.poolConfigs.piedsjaloux_prod = piedsjaloux.phpFpm.pool;
+ system.activationScripts.piedsjaloux_prod = piedsjaloux.activationScript;
+ system.extraSystemBuilderCmds = ''
+ mkdir -p $out/webapps
+ ln -s ${piedsjaloux.app.webRoot} $out/webapps/${piedsjaloux.apache.webappName}
+ '';
+ services.websites.production.modules = piedsjaloux.apache.modules;
+ services.websites.production.vhostConfs.piedsjaloux = {
+ certName = "piedsjaloux";
+ certMainHost = "piedsjaloux.fr";
+ hosts = [ "piedsjaloux.fr" "www.piedsjaloux.fr" ];
+ root = piedsjaloux.apache.root;
+ extraConfig = [ piedsjaloux.apache.vhostConf ];
+ };
+ };
+}
+
-- cgit v1.2.3